Update net/third_party/nss to NSS 3.15.4.

net/third_party/nss/patches/peercertchain2.patch

-Index: net/third_party/nss/ssl/ssl.h
-===================================================================
---- net/third_party/nss/ssl/ssl.h       (revision 225295)
-+++ net/third_party/nss/ssl/ssl.h       (working copy)
-@@ -434,6 +434,15 @@
- */
- SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd);
- 
-+/*
-+** Return the certificates presented by the SSL peer. If the SSL peer
-+** did not present certificates, return NULL with the
-+** SSL_ERROR_NO_CERTIFICATE error. On failure, return NULL with an error
-+** code other than SSL_ERROR_NO_CERTIFICATE.
-+**     "fd" the socket "file" descriptor
-+*/
-+SSL_IMPORT CERTCertList *SSL_PeerCertificateChain(PRFileDesc *fd);
-+
- /* SSL_PeerStapledOCSPResponses returns the OCSP responses that were provided
-  * by the TLS server. The return value is a pointer to an internal SECItemArray
-  * that contains the returned OCSP responses; it is only valid until the
-@@ -463,18 +472,6 @@
-                            SSLKEAType kea);
- 
- /*
--** Return references to the certificates presented by the SSL peer.
--** |maxNumCerts| must contain the size of the |certs| array. On successful
--** return, |*numCerts| contains the number of certificates available and
--** |certs| will contain references to as many certificates as would fit.
--** Therefore if |*numCerts| contains a value less than or equal to
--** |maxNumCerts|, then all certificates were returned.
--*/
--SSL_IMPORT SECStatus SSL_PeerCertificateChain(
--       PRFileDesc *fd, CERTCertificate **certs,
--       unsigned int *numCerts, unsigned int maxNumCerts);
--
--/*
- ** Authenticate certificate hook. Called when a certificate comes in
- ** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the
- ** certificate.
-Index: net/third_party/nss/ssl/sslauth.c
-===================================================================
---- net/third_party/nss/ssl/sslauth.c   (revision 225295)
-+++ net/third_party/nss/ssl/sslauth.c   (working copy)
-@@ -28,38 +28,43 @@
- }
- 
- /* NEED LOCKS IN HERE.  */
--SECStatus
--SSL_PeerCertificateChain(PRFileDesc *fd, CERTCertificate **certs,
--                        unsigned int *numCerts, unsigned int maxNumCerts)
-+CERTCertList *
-+SSL_PeerCertificateChain(PRFileDesc *fd)
- {
-     sslSocket *ss;
--    ssl3CertNode* cur;
-+    CERTCertList *chain = NULL;
-+    CERTCertificate *cert;
-+    ssl3CertNode *cur;
- 
-     ss = ssl_FindSocket(fd);
-     if (!ss) {
-        SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain",
-                 SSL_GETPID(), fd));
--       return SECFailure;
-+       return NULL;
-     }
--    if (!ss->opt.useSecurity)
--       return SECFailure;
--
--    if (ss->sec.peerCert == NULL) {
--      *numCerts = 0;
--      return SECSuccess;
-+    if (!ss->opt.useSecurity || !ss->sec.peerCert) {
-+       PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
-+       return NULL;
-     }
--
--    *numCerts = 1;  /* for the leaf certificate */
--    if (maxNumCerts > 0)
--       certs[0] = CERT_DupCertificate(ss->sec.peerCert);
--
-+    chain = CERT_NewCertList();
-+    if (!chain) {
-+       return NULL;
-+    }
-+    cert = CERT_DupCertificate(ss->sec.peerCert);
-+    if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
-+       goto loser;
-+    }
-     for (cur = ss->ssl3.peerCertChain; cur; cur = cur->next) {
--       if (*numCerts < maxNumCerts)
--           certs[*numCerts] = CERT_DupCertificate(cur->cert);
--       (*numCerts)++;
-+       cert = CERT_DupCertificate(cur->cert);
-+       if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
-+           goto loser;
-+       }
-     }
-+    return chain;
- 
--    return SECSuccess;
-+loser:
-+    CERT_DestroyCertList(chain);
-+    return NULL;
- }
- 
- /* NEED LOCKS IN HERE.  */